I remind re-publishers that this research is under copyright and that you must contact me for more information.
Ghostnet networks: are you a soldier?
First of all, what is the difference between a botnet and a ghostnet?
The term ghostnet was used for various attacks originating from computers in China.
The techniques used were interesting to research because the attack flows were so intense that it was scientifically difficult to confirm they came from botnet capabilities.
The main difference is that botnet activities use neither multi-level ramification networks nor cloud techniques.
In this section we will see the main differences between a botnet and a ghostnet.
What is the current situation?
Here are the different kinds of abuse that a simple home user's computer can be subjected to:
Types of home user spying:
To spy on users:
Mail accounts (passwords, secure web site accesses, etc.)
Web 2.0 accounts
Credit cards, bank logins and bank accounts
Theft of identity cards, passports, driving licences, social security cards and numbers
Using the user's Internet connection to turn the computer into a spam server or bot (Zeus)
Underground billing systems for rogue and FakeAlert businesses
Underground botnet administration consoles or databases of zombie computers
Cyberwar soldiers made from home users' computers:
Botnet soldier: most of the time IRC techniques are used
Ghostnet soldier: uses HTTP2P techniques
Using the user's computer as a repository of attack code and instructions (most of the time encrypted on the hard disk and hidden in sectors marked as bad)
The attack sequences and logical steps that the soldier (the home computer) can carry out
A log repository of the status and states of the current attack
This computer is transparently assigned its own fake domain name.
Here is the ghostnet malware encyclopedia phenotype, which shows us what a computer user perceives when faced with such malware. These perceptions are typically behaviours that a computer and/or system can also show in normal use, so they are often ignored by users.

The reality is different!
Here is the ghostnet malware encyclopedia phenotype showing all the potential ghostnet technologies that can be invisible and found at random on users' computers (depending on the power of the ghostnet).

Ghostnet:
It is a worldwide botnet transformation with exponential capacity.
Ghostnet techniques use clouding over the HTTP2P protocol.
They use dynamic DNS on the Internet, the most usable way to turn the user's computer into a soldier.
They create bridge references on search engines such as Google, Yahoo Search, Ask, etc. to home users' or enterprise computers.
They can take control to make the computer a bridge, a repository and/or an attacker.
Objectives:
DoS,
DDoS of countries
DDoS of important sales companies (VOD, streaming, corporate sales, etc.),
To be a repository of countries' strategic, political or other documents,
To be a repository of terrorist schemas and documents
To maintain the ghostnet's quality of service in calculation and bandwidth capabilities
To be a repository of FakeAV and rogue billing systems
To stay undetectable by AV and firewalls, including hardware firewalls.
Clouding or Cloud Computing:
This is the technique that lets you move all computer software, services and billing to a powerful and professional computer/server infrastructure.
In fact, it is a wonderful marketing invention to force customers and enterprises to pay more and more. Anyway, they will explain a lot of advantages: your computers need more power? Don't buy, we will provide you the software on several big servers!!!! You see the message!
Anyway, now everything is on the cloud; have a look at the following pictures:

In fact, it is BOINC that demonstrates that the cloud can work. SETI@Home is a perfect example of clouding the results of the screen-saver calculations done on users' computers while they drink ... coffee, of course!
Today, SETI@Home has 573,000 online computers PER HOUR for a POWER of 5,551.80 teraflops.
The ghostnet is the MANDATORY evolution of botnets that need to grow bigger and bigger.
I have already published some posts on this blog about my research on botnets.
Historical steps:
Since the birth of Downadup (Conficker) I have been doing epidemiological research.
I put in place a controlled, actively contaminated architecture and let the malware live its life. Millions of logs have been collected to analyse its behaviour since the starting period.
At the end of August 2009, my probes sent me information that some behaviours had changed: some files were created and checksums changed regularly, but no other new processes were created.
I decided to reinforce the controlled contaminated infrastructure and to open not one network but three, geographically and network-independent, on my campus.
In February 2010, the network activities were different from usual, but the files continued to change as usual.
Here are the results of the last few months since February 2010.
The ghostnet uses clouding on several layers of computers; the botnet uses only one.
A ghostnet uses the network, CPU and RAM capabilities of infected users' computers.
Malware clouding that uses multi-layer networks lets the ghostnet increase the number of active computers, but also gives it enormous bandwidth and CPU calculation power.
Here are the theoretical predictions of capabilities shown on the 3 different infrastructures of the contaminated controlled networks on the campus:

As we can see in this picture, after isomorphic research and the homomorphic report, the behaviour changes depending on network bandwidth, CPU and RAM capabilities.
It is interesting that with the same malware code executed at the same time on several different networks, computers and architectures, the behaviours are different.
The following screenshot shows the bridge technique now used by this malware.
In fact, at its birth, the searches were based on more than 500 domain names every two hours. Today the malware searches 5 domain names, because they use only ONE single domain name, but the IP changes as shown in the following shot. It is the same domain name, but have a look at the IPs. The 2 shots were taken at 3-minute intervals.

Here is the experiment that was done on D-day to analyse the ramifications.
I describe the process followed in this experiment:
I installed a network probe before infection
I infected a controlled home user computer
I waited for the fake domain name to be created for this computer

I waited for this computer to be referenced on the search engine
We can start the experiment.
The worm will start searching to activate other host computers geographically nearest to our infected computer.
In the following picture, the worm goes to fr.ask.com because the IP of our infected computer is located in France.
Through this search engine, the worm will find some hosts to include in the ramifications that are geographically closest OR, and this is important to know, it will join the ramification that is needed. In other words, if one of the ramifications needs some specific capacities to survive, our infected computer will join that particular ramification!

Once done, we are ready to start the ramification profiling.

We take the fake domain name that the worm tries to reach.
Our probe will give the IP corresponding to the fake domain name.
So in the first step we profile the fake domain name by its IP.

We will see whether the IP is a standalone computer, in which case we are facing botnet techniques; if there is more than one IP, that means ramification.
In this case, we are facing a ghostnet.
You can see multiple fake domain names referenced at this step.
That means that the IP address our infected computer tries to reach is a 'Bridge'.
What we can conclude at this step:
A. we are facing a clouding network
B. it demonstrates that the evolution of this worm is done, and that now there is no need to try to reach 500 fake domains to check whether attack code or instructions are available; only one or two are enough.
Let's continue our investigation.
I will choose one of these domains to follow, to check whether the staircase of ramifications stops after this first stair or not.
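The profiling step above (one domain name, one stable IP means a standalone botnet controller; several IPs that rotate between lookups means a bridge into a ramification) and the earlier observation that the same name answered with different IPs three minutes apart can both be turned into a small probe-log analysis. The script below is an added example, not the author's tooling or data: the lookup log, the names (.invalid) and the addresses (RFC 5737 documentation ranges) are constructed, the "referenced behind this IP" map stands in for what the probe sees at each bridge, and the verdict rule (one IP every time = standalone, answers that change between lookups = ramification) is this example's own assumption.

```python
"""Profile the fake domain names an infected host queries and walk the
ramification layer by layer until an end point.  Added example: all
names, IPs and timings are constructed; the verdict rule is an assumption."""
from collections import defaultdict

# Constructed probe log: (seconds since start, queried name, A records).
# Three lookups of each name, 3 minutes apart, like the two shots in the post.
SAMPLE_LOOKUPS = [
    (0,   "bridge-one.invalid", ["203.0.113.10", "203.0.113.11", "198.51.100.7"]),
    (180, "bridge-one.invalid", ["203.0.113.11", "192.0.2.45", "198.51.100.7"]),
    (360, "bridge-one.invalid", ["192.0.2.45", "203.0.113.77"]),
    (0,   "single-cc.invalid", ["192.0.2.1"]),
    (180, "single-cc.invalid", ["192.0.2.1"]),
    (360, "single-cc.invalid", ["192.0.2.1"]),
]

# Constructed: fake names the probe saw referenced behind each bridge IP,
# i.e. the next stair of the ramification.  IPs absent here are end points.
SAMPLE_REFERENCED_AT = {
    "203.0.113.10":  ["layer2-a.invalid", "layer2-b.invalid"],
    "192.0.2.45":    ["layer2-b.invalid"],
    "198.51.100.20": ["layer3.invalid"],
}
# Constructed answers for the deeper names (layer3 resolves to one home PC).
SAMPLE_LAYER_ANSWERS = {
    "layer2-a.invalid": ["198.51.100.20"],
    "layer2-b.invalid": ["198.51.100.20", "198.51.100.21"],
    "layer3.invalid":   ["198.51.100.23"],
}


def collect_answers(lookups):
    """Per name: how many lookups returned each IP, and how many lookups there were."""
    per_ip = defaultdict(lambda: defaultdict(int))
    n_lookups = defaultdict(int)
    for _ts, name, ips in lookups:
        n_lookups[name] += 1
        for ip in set(ips):
            per_ip[name][ip] += 1
    return per_ip, n_lookups


def classify(ip_counts, n_lookups):
    """standalone   : the same single IP every time (classic botnet controller)
    ramification : several IPs and the answer set changed between lookups (bridge)
    multi-ip-static: several IPs but identical on every lookup (plain round robin)"""
    if len(ip_counts) == 1:
        return "standalone"
    rotated = any(count < n_lookups for count in ip_counts.values())
    return "ramification" if rotated else "multi-ip-static"


def profile(lookups):
    """Verdict and distinct IP list for every name in the log."""
    per_ip, n_lookups = collect_answers(lookups)
    return {
        name: {"distinct_ips": sorted(counts), "lookups": n_lookups[name],
               "verdict": classify(counts, n_lookups[name])}
        for name, counts in per_ip.items()
    }


def resolve_sample(name):
    """Stand-in resolver: union of everything the constructed log answered for a name."""
    seen = {ip for _ts, n, ips in SAMPLE_LOOKUPS if n == name for ip in ips}
    return sorted(seen) if seen else SAMPLE_LAYER_ANSWERS.get(name, [])


def walk_ramification(name, resolve, referenced_at, max_depth=10):
    """Follow the staircase: resolve the current names, then move to the names
    referenced behind those IPs, until an IP references nothing (the end point).
    Returns one sorted IP list per layer."""
    layers, visited, frontier = [], {name}, [name]
    while frontier and len(layers) < max_depth:
        ips = sorted({ip for n in frontier for ip in resolve(n)})
        layers.append(ips)
        nxt = []
        for ip in ips:
            for n in referenced_at.get(ip, []):
                if n not in visited:          # never loop back into a seen stair
                    visited.add(n)
                    nxt.append(n)
        frontier = nxt
    return layers


if __name__ == "__main__":
    for name, info in profile(SAMPLE_LOOKUPS).items():
        print(f"{name}: {info['verdict']} ({len(info['distinct_ips'])} IPs "
              f"over {info['lookups']} lookups)")
    for depth, ips in enumerate(walk_ramification("bridge-one.invalid",
                                                  resolve_sample, SAMPLE_REFERENCED_AT)):
        print(f"stair {depth}: {', '.join(ips)}")
```

Against real probe output the constructed log would be replaced by the resolver answers the probe records for each fake name, and the `referenced_at` map by the names seen referenced at each bridge; the walk then stops at the first layer whose IPs reference no further names, which is the "simple user's computer" end point the post shows.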

We can see that a ramification is there.

Now I will show you two cases:
Another ramification that will lead us to yet another one.....

And in the following picture, we can see the end point. This end point is a simple user's computer.

All of this, what for?
They have power with the infrastructure that we now know. The everyday work is to recruit new computers to increase more and more the power of such an invisible network.
The preferred ghostnet attacks are DDoS.
In fact, simple floods are sent to the victims or to a branch of victims.
The following picture shows an example (in French, but the concept is easily translated):

What is the real power of such a malware network?
A scientist published a graph of his research concerning this kind of network.
It demonstrates the power of such a network.

Security point:
Users must understand that new generations of worms know how to modify not only the software firewall but also the xDSL box (the worm tries to connect to it over SSH or HTTP with brute-force techniques).
Here is an example of an Orange LiveBox that keeps the factory user/password authentication, I mean admin/admin:

The blue lines are the lines added by the worm.
We must note that the worm didn't open any port on the .15, because it is a Linux computer.
But the 2 other IPs are infected by the ghost.
We can also note that only 1 IP has port 80 opened, not both.
I am currently in contact with Cisco R&D, and they will give me security software that is able to give me more reports.
To be continued in this section....
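The "blue lines" are the practical signal here: port-forwarding rules that appeared on the box without the owner adding them. A defender who keeps a snapshot of the box's forwarding table can diff it against the current one and flag LAN hosts that were newly exposed. The script below is an added example, not from the post or from Orange: the one-line rule syntax, the baseline and current snapshots and the LAN addresses are constructed for this example (a LiveBox does not export its table in this format), and the list of ports considered sensitive is an assumption.

```python
"""Report port-forwarding rules added to an xDSL box since a known-good
snapshot, and which LAN hosts they expose.  Added example: the rule
syntax, the snapshots and SENSITIVE_PORTS are constructed/assumed."""
import re

# One rule per line: "<proto> <external port> -> <lan host>:<internal port>"
RULE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<ext>\d{1,5})\s*->\s*"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d{1,5})$",
    re.IGNORECASE,
)

# Ports a home box should normally not expose to the Internet (assumption).
SENSITIVE_PORTS = {22, 23, 80, 443, 445, 3389}

# Constructed snapshots: the baseline taken when the box was clean, the
# current one after the worm changed it.  The .15 host (Linux) gets nothing
# new, the two other hosts do, and only one of them gets port 80.
BASELINE_RULES = """
udp 5060 -> 192.168.1.15:5060
"""
CURRENT_RULES = """
udp 5060 -> 192.168.1.15:5060
tcp 80   -> 192.168.1.12:80
tcp 22   -> 192.168.1.12:22
tcp 22   -> 192.168.1.13:22
this line is not a rule and is skipped
"""


def parse_rules(text):
    """Set of (proto, external_port, lan_host, internal_port) tuples.
    Lines that do not match the syntax are skipped, never guessed at."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.add((m["proto"].lower(), int(m["ext"]), m["host"], int(m["int"])))
    return rules


def added_rules(baseline_text, current_text):
    """Rules present now that were not in the baseline, in a stable order."""
    return sorted(parse_rules(current_text) - parse_rules(baseline_text))


def hosts_exposed_on(rules, external_port):
    """LAN hosts reachable from the Internet on a given external port."""
    return sorted({host for _proto, ext, host, _internal in rules if ext == external_port})


def suspicious_added(baseline_text, current_text):
    """Added rules on sensitive ports, grouped by the LAN host they expose."""
    by_host = {}
    for proto, ext, host, internal in added_rules(baseline_text, current_text):
        if ext in SENSITIVE_PORTS:
            by_host.setdefault(host, []).append(f"{proto}/{ext}->{internal}")
    return by_host


if __name__ == "__main__":
    for host, forwards in suspicious_added(BASELINE_RULES, CURRENT_RULES).items():
        print(f"{host}: newly exposed {', '.join(forwards)}")
```

The baseline snapshot is the important part: without one, a rule added by malware looks no different from one the owner forgot about, and the same diff is worth running on the box's admin credentials (still the factory admin/admin, or changed) before trusting the table at all.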